CCNA Security Lab 10 - Catalyst Switch Port Security - CLI

Lab 10 

Catalyst Switch Port Security 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to enable
the Port Security feature on Cisco IOS Catalyst switches.

Lab Purpose: 

Port Security is a fundamental component of Catalyst switch security. This 
feature is used to provide security against CAM overflow attacks on switched 
networks. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab: 



This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps
GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges
used in this lab with those available on your switch. For example, if you only have 12 10/100
FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that
you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the
GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute
GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.


Lab 10 Configuration Tasks 


Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following
VLANs on Sw1:

VLAN Number   VLAN Name           VLAN Ports
10            VLAN_10_SECURITY    FastEthernet0/1 - FastEthernet0/12
20            VLAN_20_SECURITY    FastEthernet0/13 - FastEthernet0/24

Task 2: 

Configure Port Security for VLAN 10 so that all learned MAC addresses are saved to the NVRAM of Sw1.
In addition to this, ensure that only 1 MAC address per port is learned and, if more than one is detected,
the switch port(s) should be shut down. Verify your configuration.

Task 3: 

Configure Port Security for VLAN 20 so that a maximum of 5 MAC addresses can be learned dynamically.
In the event that more than 5 MAC addresses are detected, the switch port(s) should use the restrict
violation action. These dynamically learned entries should be flushed every 24 hours. Verify your
configuration using the appropriate Catalyst switch show commands.


Lab 10 Configuration and Verification 
Task 1: 

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname Sw1
Sw1(config)#vlan 10
Sw1(config-vlan)#name VLAN_10_SECURITY
Sw1(config-vlan)#exit
Sw1(config)#vlan 20
Sw1(config-vlan)#name VLAN_20_SECURITY
Sw1(config-vlan)#exit
Sw1(config)#interface range fastethernet0/1 - 12
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#switchport access vlan 10
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#exit
Sw1(config)#interface range fastethernet0/13 - 24
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#switchport access vlan 20
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#



Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   VLAN_10_SECURITY                 active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
20   VLAN_20_SECURITY                 active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active


Task 2: 

This Task requires the use of Host 1 for accurate validation. By configuring dynamic sticky learning and
then saving the configuration, you can validate that the switch has written the learned MAC address of
Host 1 to NVRAM. This means that the entry will not be flushed if the switch is rebooted.

Sw1(config)#interface range fastethernet0/1 - 12
Sw1(config-if-range)#switchport port-security
Sw1(config-if-range)#switchport port-security maximum 1
Sw1(config-if-range)#switchport port-security mac-address sticky
Sw1(config-if-range)#switchport port-security violation shutdown
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Sw1#

Sw1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            0                  0         Shutdown
      Fa0/4              1            0                  0         Shutdown
      Fa0/5              1            0                  0         Shutdown
      Fa0/6              1            0                  0         Shutdown
      Fa0/7              1            0                  0         Shutdown
      Fa0/8              1            0                  0         Shutdown
      Fa0/9              1            0                  0         Shutdown
     Fa0/10              1            0                  0         Shutdown
     Fa0/11              1            0                  0         Shutdown
     Fa0/12              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Sw1#

Sw1#show port-security interface fastethernet 0/1 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    001d.09d4.0238    SecureSticky        Fa0/1
-------------------------------------------------------------------
Total Addresses: 1
Sw1#

Sw1#show running-config interface fastethernet 0/1
Building configuration...

Current configuration : 230 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.09d4.0238
 no ip address
end

Task 3: 

Sw1(config)#interface range fastethernet0/13 - 24
Sw1(config-if-range)#switchport port-security
Sw1(config-if-range)#switchport port-security maximum 5
Sw1(config-if-range)#switchport port-security violation restrict
Sw1(config-if-range)#switchport port-security aging time 1440
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#

Sw1#show port-security | begin Fa0/13
     Fa0/13              5            0                  0         Restrict
     Fa0/14              5            0                  0         Restrict
     Fa0/15              5            0                  0         Restrict
     Fa0/16              5            0                  0         Restrict
     Fa0/17              5            0                  0         Restrict
     Fa0/18              5            0                  0         Restrict
     Fa0/19              5            0                  0         Restrict
     Fa0/20              5            0                  0         Restrict
     Fa0/21              5            0                  0         Restrict
     Fa0/22              5            0                  0         Restrict
     Fa0/23              5            0                  0         Restrict
     Fa0/24              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Sw1#

Sw1#show port-security interface fastethernet 0/13
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Restrict
Maximum MAC Addresses      : 5
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 1440 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
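The show port-security table used for verification in Tasks 2 and 3 is also what an operator reads when a port stops passing traffic. The script below is an added example, not part of the original lab: it parses that summary table, one row per secure port, and reports the ports that need attention, distinguishing a violation under the shutdown action (the port is err-disabled) from one under restrict (the port stays up and the count keeps climbing), plus ports whose secure address table is already full. The output it reads is constructed for the example in the same layout as the lab's, with non-zero violation counts added on Fa0/2 and Fa0/14.

```python
"""Triage the summary rows of 'show port-security' on a Catalyst switch.

Added example, not part of the original lab. The sample output below is
constructed in the layout the lab shows; the violation counts are invented
so the triage logic has something to report.
"""
import re

# One table row: port, MaxSecureAddr, CurrentAddr, SecurityViolation, Security Action.
ROW_RE = re.compile(
    r"^\s*(?P<port>(?:Fa|Gi)\d+/\d+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+"
    r"(?P<viol>\d+)\s+(?P<action>Shutdown|Restrict|Protect)\s*$"
)

# Constructed sample: Fa0/2 and Fa0/14 carry violation counts to exercise triage.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  1         Shutdown
     Fa0/13              5            2                  0         Restrict
     Fa0/14              5            5                  7         Restrict
---------------------------------------------------------------------------
Total Addresses in System : 9
Max Addresses limit in System : 1024
"""


def parse_port_security(output):
    """Return one dict per secure port found in 'show port-security' output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "port": m["port"],
                "max": int(m["max"]),
                "current": int(m["cur"]),
                "violations": int(m["viol"]),
                "action": m["action"],
            })
    return rows


def triage(rows):
    """Return (port, severity, message) for every port that deserves attention."""
    findings = []
    for r in rows:
        if r["violations"] > 0 and r["action"] == "Shutdown":
            # A violation under the shutdown action err-disables the port.
            findings.append((r["port"], "high",
                             "violation recorded with shutdown action; port is likely err-disabled"))
        elif r["violations"] > 0:
            # Restrict keeps the port up, drops the offending frames and counts them.
            findings.append((r["port"], "medium",
                             f"{r['violations']} violation(s) in {r['action'].lower()} mode; "
                             "frames from extra MAC addresses are being dropped"))
        elif r["current"] >= r["max"]:
            # Table is full: the next unknown source MAC triggers a violation.
            findings.append((r["port"], "info",
                             "secure address table is full; any new MAC address will violate"))
    return findings


if __name__ == "__main__":
    for port, severity, message in triage(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port:<8} {severity:<6} {message}")
```

On the lab's own Task 2 output the only finding would be the "info" entry for Fa0/1, which is expected with a single host and maximum 1; the "high" finding is the one that tells you a port has been err-disabled and should be investigated before it is re-enabled.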

Lab 10 Configurations
Sw1 Configuration

Sw1#show running-config
Building configuration...

Current configuration : 5684 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
vlan 10
 name VLAN_10_SECURITY
!
vlan 20
 name VLAN_20_SECURITY
!

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.09d4.0238
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!

interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/15
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/16
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/17
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/19
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/24
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
!
line con 0
line vty 5 15
!
end
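A point worth noticing in the running configuration above: the Task 2 ports show neither "switchport port-security maximum 1" nor "switchport port-security violation shutdown", because IOS does not print default values, so a naive text search for the required settings would report every VLAN 10 port as non-compliant. The script below is an added example, not part of the original lab, that audits a saved running-config against the per-VLAN policy the tasks require. It parses each interface stanza, seeds the IOS defaults (maximum 1, violation shutdown, aging time 0, port security disabled) before applying the explicit lines, and then reports every deviation. The embedded configuration is constructed for the example: Fa0/1 and Fa0/13 are correct, Fa0/12 carries the VLAN 20 settings that an "interface range fastethernet0/12 - 24" slip would produce, and Fa0/14 has the maximum and violation lines but never had port security enabled. The sticky MAC address reused in the sample is the one from the lab output.

```python
"""Audit Catalyst port-security settings in a saved running-config.

Added example, not part of the original lab. The sample config below is
constructed for this example; the policy is the one Lab 10 Tasks 2 and 3 ask for.
"""
import re

# IOS omits default values from the running-config, so every parsed stanza
# starts from these and is overridden only by lines that are actually present.
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown",
            "aging_time": 0, "sticky": False, "sticky_addrs": 0}

# Required settings per access VLAN, taken from Lab 10 Tasks 2 and 3.
POLICY = {
    10: {"enabled": True, "maximum": 1, "violation": "shutdown", "sticky": True},
    20: {"enabled": True, "maximum": 5, "violation": "restrict", "aging_time": 1440},
}

# Constructed sample: Fa0/12 was caught by a wrong interface range, Fa0/14 never
# received the plain "switchport port-security" line that enables the feature.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.09d4.0238
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
"""


def _apply_line(settings, line):
    """Update one interface's settings from a single (stripped) config line."""
    if m := re.match(r"switchport access vlan (\d+)$", line):
        settings["vlan"] = int(m.group(1))
    elif line == "switchport port-security":
        settings["enabled"] = True
    elif m := re.match(r"switchport port-security maximum (\d+)$", line):
        settings["maximum"] = int(m.group(1))
    elif m := re.match(r"switchport port-security violation (\S+)$", line):
        settings["violation"] = m.group(1)
    elif m := re.match(r"switchport port-security aging time (\d+)$", line):
        settings["aging_time"] = int(m.group(1))
    elif m := re.match(r"switchport port-security mac-address sticky(?: (\S+))?$", line):
        settings["sticky"] = True
        if m.group(1):                      # a learned address saved to the config
            settings["sticky_addrs"] += 1


def parse_interfaces(config_text):
    """Return {interface_name: settings} for every 'interface ...' stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = dict(DEFAULTS, vlan=None)
            interfaces[line.split(None, 1)[1]] = current
        elif line == "!":                   # '!' closes the current stanza
            current = None
        elif current is not None and line:
            _apply_line(current, line)
    return interfaces


def audit(interfaces, policy=POLICY):
    """Return (interface, setting, expected, actual) for every policy deviation."""
    findings = []
    for name, settings in sorted(interfaces.items()):
        required = policy.get(settings["vlan"])
        if required is None:                # not an access port the policy covers
            continue
        for key, expected in required.items():
            if settings[key] != expected:
                findings.append((name, key, expected, settings[key]))
    return findings


if __name__ == "__main__":
    for name, key, expected, actual in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {key} is {actual!r}, policy requires {expected!r}")
```

Running the script lists Fa0/12 twice (maximum and violation action wrong for a VLAN 10 port) and Fa0/14 once (port security not enabled), while the Fa0/1 stanza passes even though it names neither a maximum nor a violation action, because the defaults were filled in first. Replace SAMPLE_CONFIG with the text of show running-config from your own switch to audit a real device.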